Message-ID: <20110327150546.GA16582@albatros>
Date: Sun, 27 Mar 2011 19:05:46 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: sysfs facility

Solar, all -

I've written a draft version of a sysfs facility for owl-control to restrict
access to the contents of the sysfs mount point.  It has only 2 modes -
public (currently implemented in every distro) and restricted.  It lacks a
group restriction.

The same works for procfs (e.g. to fix numerous ASLR infoleaks, prevent
exploitation of CVE-2011-1020, or just to restrict ps(1)).

root@...nshilla:~# control sysfs public
root@...nshilla:~# control sysfs list
public restricted
root@...nshilla:~# ls -ld /sys
drwxr-xr-x 12 root root 0 2011-03-27 13:18 /sys
root@...nshilla:~# control sysfs restricted
root@...nshilla:~# ls -ld /sys
lrwxrwxrwx 1 root root 22 2011-03-27 18:57 /sys -> /var/run/mnt-sysfs/sys
root@...nshilla:~# ls -ld /var/run/mnt-sysfs/sys
drwxr-xr-x 12 root root 0 2011-03-27 13:18 /var/run/mnt-sysfs/sys
root@...nshilla:~# ls -ld /var/run/mnt-sysfs/
drwx------ 3 root root 60 2011-03-27 18:57 /var/run/mnt-sysfs/
root@...nshilla:~# su - vasya
vasya@...nshilla:~$ ls /sys
ls: cannot access /sys: Permission denied
root@...nshilla:~# control sysfs public
root@...nshilla:~# ls -ld /sys
drwxr-xr-x 12 root root 0 2011-03-27 13:18 /sys
root@...nshilla:~# su - vasya
vasya@...nshilla:~$ ls -ld /sys
drwxr-xr-x 12 root root 0 2011-03-27 13:18 /sys

#!/bin/bash
. /etc/control.d/functions

MNT_ORIG=/sys
MNT_RESTRIC=/var/run/mnt-sysfs/sys
MNT_TYPE=sysfs
NAME_LIST="public restricted"
#TODO: maybe create group u_sysfs?

# Where sysfs is mounted right now (empty if it is not mounted at all).
# Only the first mount of that type is considered.
MNT_CUR=`mount | grep "type $MNT_TYPE" | head -n1 | cut -d' ' -f3`

case "$*" in
list)
	echo "$NAME_LIST"
	;;
status|'')
	# Restricted mode is recognised by $MNT_ORIG being a symlink.
	if [ -h "$MNT_ORIG" ]; then
		echo restricted
	else
		echo public
	fi
	;;
public)
	if [ "$MNT_CUR" = "$MNT_ORIG" ]; then
		exit 0
	else
		# $MNT_ORIG must be the symlink left by "restricted" or be
		# absent; refuse to remove anything else.
		[ -h "$MNT_ORIG" ] || [ ! -e "$MNT_ORIG" ] || exit 1
		rm -f "$MNT_ORIG"
		mkdir -p -m755 "$MNT_ORIG" || exit 1
		if [ -n "$MNT_CUR" ]; then
			mount --move "$MNT_CUR" "$MNT_ORIG" || exit 1
		fi
	fi
	;;
restricted)
	if [ "$MNT_CUR" = "$MNT_RESTRIC" ]; then
		exit 0
	else
		# With umask 0077 the parent directory is created 0700 and
		# root-owned; that is what keeps unprivileged users out.
		umask 0077
		mkdir -p -m700 "$MNT_RESTRIC" || exit 1
		if [ -n "$MNT_CUR" ]; then
			mount --move "$MNT_ORIG" "$MNT_RESTRIC" || exit 1
		fi
		# $MNT_ORIG should now be an empty directory; replace it with
		# the symlink.  If it is not empty, move the mount back so the
		# system is not left half-switched.
		if rmdir "$MNT_ORIG" 2>/dev/null; then
			ln -s "$MNT_RESTRIC" "$MNT_ORIG" || exit 1
		else
			[ -n "$MNT_CUR" ] && mount --move "$MNT_RESTRIC" "$MNT_ORIG"
			exit 1
		fi
	fi
	;;
esac

-- 
Vasiliy
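As an added example (not part of Vasiliy's draft or of owl-control), the two things the switch above relies on, done a little more defensively: locating the current sysfs mount point from /proc/self/mountinfo rather than by cutting a column out of `mount` output, and checking the invariants that make the restricted layout effective (the symlink is in place, it points at the mount, and the parent directory is a 0700 directory owned by root). It assumes a `stat` that accepts `-c '%a %u'` (GNU coreutils or busybox) and the mountinfo line format documented in proc(5); the mountinfo excerpts and the directory tree it builds under mktemp are constructed for the example, and no real mount is touched.

```shell
#!/bin/sh
# Added example; paths, sample mountinfo lines and the temporary tree are
# constructed for illustration.  Assumes `stat -c '%a %u'` (GNU/busybox).

# Print the mount point of the first mount whose filesystem type is $1.
# Reads mountinfo-format lines on stdin (e.g. < /proc/self/mountinfo):
#   id parent maj:min root mountpoint opts [optional...] - fstype source superopts
# Optional fields such as shared:1 sit before the "-" separator, so the type
# is found relative to the separator, not at a fixed column.  The kernel
# writes spaces in the mount point as \040; decode them.
mountpoint_for_type() {
    awk -v want="$1" '
        {
            for (i = 7; i <= NF; i++) if ($i == "-") break
            if (i < NF && $(i + 1) == want) {
                p = $5
                gsub(/\\040/, " ", p)
                print p
                exit
            }
        }'
}

# Succeed only if ORIG ($1) is a symlink pointing at the restricted mount
# point MP ($2) and MP's parent is a real directory, mode 0700, owned by
# uid $3 (default 0).  The 0700 parent is the only thing keeping
# unprivileged users out of sysfs, so it is the check that matters most.
check_restricted() {
    orig=$1; mp=$2; owner=${3:-0}
    [ -h "$orig" ] || { echo "$orig is not a symlink" >&2; return 1; }
    [ "$(readlink "$orig")" = "$mp" ] || { echo "$orig does not point at $mp" >&2; return 1; }
    parent=$(dirname "$mp")
    [ -d "$parent" ] && [ ! -h "$parent" ] || { echo "$parent is not a directory" >&2; return 1; }
    set -- $(stat -c '%a %u' "$parent")
    [ "$1" = 700 ] || { echo "$parent is mode $1, expected 700" >&2; return 1; }
    [ "$2" = "$owner" ] || { echo "$parent is owned by uid $2, expected $owner" >&2; return 1; }
    return 0
}

# Classify the layout: "public" (ORIG is a real directory and the mount is
# there), "restricted" (check_restricted passes), otherwise "inconsistent",
# e.g. a switch that was interrupted halfway or a parent left world-readable.
sysfs_mode() {
    orig=$1; mp=$2; owner=${3:-0}
    if [ ! -h "$orig" ] && [ -d "$orig" ] && [ "$mp" = "$orig" ]; then
        echo public
    elif check_restricted "$orig" "$mp" "$owner" 2>/dev/null; then
        echo restricted
    else
        echo inconsistent
    fi
}

# Constructed mountinfo excerpts (not captured from a real host).
MOUNTINFO_PUBLIC='21 1 0:20 / /proc rw,relatime shared:5 - proc proc rw
22 1 0:21 / /sys rw,relatime shared:6 - sysfs sysfs rw
23 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro'
MOUNTINFO_RESTRICTED='21 1 0:20 / /proc rw,relatime shared:5 - proc proc rw
23 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
24 23 0:23 / /var/run/scratch\040dir rw,relatime - tmpfs tmpfs rw
22 1 0:21 / /var/run/mnt-sysfs/sys rw,relatime shared:6 - sysfs sysfs rw
25 22 0:22 / /var/run/mnt-sysfs/sys/kernel/debug rw,relatime - debugfs none rw'

# `sh example.sh demo` exercises everything on a throwaway tree that mimics
# /sys and /var/run/mnt-sysfs, without mounting anything.
demo() {
    tmp=$(mktemp -d); me=$(id -u)
    mkdir "$tmp/sys"
    echo "public layout:         $(sysfs_mode "$tmp/sys" "$tmp/sys" "$me")"
    mkdir -p "$tmp/run/mnt-sysfs/sys"
    chmod 700 "$tmp/run/mnt-sysfs"
    rmdir "$tmp/sys" && ln -s "$tmp/run/mnt-sysfs/sys" "$tmp/sys"
    echo "restricted layout:     $(sysfs_mode "$tmp/sys" "$tmp/run/mnt-sysfs/sys" "$me")"
    chmod 755 "$tmp/run/mnt-sysfs"   # the one mistake that re-exposes sysfs
    echo "world-readable parent: $(sysfs_mode "$tmp/sys" "$tmp/run/mnt-sysfs/sys" "$me")"
    echo "sysfs mounted at:      $(printf '%s\n' "$MOUNTINFO_RESTRICTED" | mountpoint_for_type sysfs)"
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

On a real host the mount point would come from `mountpoint_for_type sysfs < /proc/self/mountinfo` and the owner argument would be left at 0; the demo passes the caller's uid only because it builds the tree unprivileged.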